CN113312519A - Enterprise network data anomaly detection method based on time graph algorithm, system computer equipment and storage medium - Google Patents


Info

Publication number: CN113312519A
Authority: CN (China)
Prior art keywords: graph, time, node, matrix, algorithm
Legal status: Withdrawn
Application number: CN202110586188.2A
Other languages: Chinese (zh)
Inventor: 李生
Current assignee: Hefei Holographic Wangyu Technology Co ltd
Original assignee: Hefei Holographic Wangyu Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9024 Graphs; Linked lists
    • G06F16/903 Querying
    • G06F16/9035 Filtering based on additional data, e.g. user or group profiles
    • G06F16/904 Browsing; Visualisation therefor
    • G06F16/907 Retrieval characterised by using metadata, e.g. metadata not derived from the content or metadata generated manually
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425 Traffic logging, e.g. anomaly detection

Abstract

The invention provides an enterprise network data anomaly detection method based on a time graph algorithm, comprising the following steps: collecting network information on users accessing data resources, constructing a time directed graph from that information, and visualizing the time directed graph; dividing the time graph of user access data with a sliding time window and constructing a series of undirected weighted graphs G_t(V, E) (t = 1, 2, …, T) that represent the relationships among users; from the undirected weighted graphs G_t(V, E) and a recursion over K layers of neighbor nodes, obtaining the graph node feature matrix NF_{n×f} with a graph node structural feature extraction algorithm; computing the role of each node in the graph from the node structural features in NF_{n×f}, where a non-negative matrix factorization algorithm is applied to NF_{n×f} to obtain the role feature matrix RF_{r×f}; computing the node role matrix NR_{n×r} from NF_{n×f} and RF_{r×f}; and performing global anomaly analysis to compute the anomaly caused by the role change of a specific user at the corresponding time point.

Description

Enterprise network data anomaly detection method based on time graph algorithm, system computer equipment and storage medium
Technical Field
The invention relates to the technical field of network information security, in particular to a method and a system for detecting enterprise network data anomalies based on a time graph algorithm, together with computer equipment and a storage medium.
Background
Enterprise data assets contain a great deal of business-confidential and secret data, which makes them a prime target of threats from inside and outside the enterprise; if enterprise data is obtained maliciously, the loss can be enormous. As computer networks play an ever larger role in the enterprise, the data leakage risks that come with their interconnectivity and openness threaten enterprise data security at all times, and because the importance of enterprise data makes it such an easy target and carrier for malicious attacks, enterprise network security receives more and more attention. Many enterprises build a network security system according to their own situation and deploy devices such as firewalls and intrusion detection systems (IDS) to prevent malicious penetration and attacks from outside the enterprise network. Yet although enterprise data assets are protected layer by layer by various security products, an illegitimate insider or an external hacker can still find a vulnerability and obtain access rights beyond what is legitimately granted, causing a leakage of key data.
Publication CN109274691A provides a method, an apparatus and a medium for enterprise data security that mainly monitor traffic-related information generated while a user performs an access operation and raise an alarm and/or block the operation when that information meets a preset condition, so as to protect enterprise data security. Although this method achieves a certain effect, the following disadvantages remain: whenever data such as time, users, events and resources in the enterprise network change, the preset conditions tied to that data must be reset, and once the data changes the whole data set must be integrated again, which is very cumbersome; in addition, an attacker posing as a legitimate employee, or a malicious insider, who enters the network with a legitimate account can scan and access important data assets in the network without restraint as long as the preset conditions are met.
Disclosure of Invention
The invention aims to provide a method, a system and a storage medium for detecting enterprise network data anomalies based on a time graph algorithm, so as to solve the problems described in the background.
In order to achieve the purpose, the invention provides the following technical scheme:
A method for detecting enterprise network data anomalies based on a time graph algorithm comprises the following steps:
S1: collecting network information on users accessing data resources, constructing a time directed graph from the network information, and visualizing the time directed graph;
S2: dividing the time graph of user access data with a sliding time window and constructing a series of undirected weighted graphs G_t(V, E) (t = 1, 2, …, T);
S3: from the undirected weighted graphs G_t(V, E) of relationships between users and a recursion over K layers of neighbor nodes, obtaining the graph node feature matrix NF_{n×f} with a graph node structural feature extraction algorithm;
S4: computing the role of each node in the graph from the node structural features in NF_{n×f}, applying a non-negative matrix factorization algorithm to NF_{n×f} to obtain the role feature matrix RF_{r×f};
S5: computing the node role matrix NR_{n×r} from the graph node structural feature matrix NF_{n×f} and the role feature matrix RF_{r×f};
S6: performing global anomaly analysis and computing the anomaly caused by the role change of a specific user at the corresponding time point.
Preferably, the specific step of step S1 is:
s101: deploying a network probe on a network convergence layer, and monitoring and collecting network information of a user accessing data resources;
s102: extracting the time, user, resource and event quadruple of the network information log, and constructing a time directed graph with the user and the resource as nodes and the event as edges;
s103: the time directed graph is visualized.
Preferably, in step S101 the collected network information is, for application servers and software service platforms, the time, user account, user IP, event, resource URL and application name; for file servers, the time, user account, user IP, event, file name and server address; and for the e-mail system, only e-mails carrying attachments, with time, sender account, sender IP, recipient account, recipient IP, event and file name.
Preferably, step S2 divides the time windows of the user access data time graph by days.
Preferably, the node structural features in the graph node feature matrix NF_{n×f} of step S3 are of three types: current-node features, egonet (self-centered network) features and recursive features.
Preferably, the specific step of step S6 is:
s601: performing global anomaly analysis, and judging whether behaviors are abnormal at the current moment;
s602: using the role feature matrix RF_{r×f} of step S4, computing the average role change over all node-role pairs in the graph of each time window, so as to obtain a one-dimensional time series in which the last time window is the current window;
s603: determining with a time series anomaly detection algorithm (S-H-ESD) whether the roles of all users change abnormally in the current time window;
s604: when the current window is detected as abnormal, using the Isolation Forest algorithm to determine which users' roles changed abnormally; those users are the ones behaving abnormally at the current moment.
To achieve the above object, the present invention further provides an enterprise network data anomaly detection system based on a time graph algorithm, comprising:
a resource collection and processing module for collecting network information on users accessing data resources, constructing a time directed graph from the network information and visualizing the time directed graph;
a time graph dividing module for dividing the time graph of user access data with a sliding time window and constructing a series of undirected weighted graphs G_t(V, E) (t = 1, 2, …, T);
a graph node feature extraction module for obtaining the graph node feature matrix NF_{n×f} from the undirected weighted graphs G_t(V, E) of relationships between users and a recursion over K layers of neighbor nodes, by means of a graph node structural feature extraction algorithm;
a graph node role extraction module for computing the role of each node in the graph from the node structural features in NF_{n×f}, applying a non-negative matrix factorization algorithm to NF_{n×f} to obtain the role feature matrix RF_{r×f};
a graph node role matrix extraction module for computing the node role matrix NR_{n×r} from the graph node structural feature matrix NF_{n×f} and the role feature matrix RF_{r×f}; and
a real-time anomaly analysis module for graph node role change, which performs global anomaly analysis and computes the anomaly caused by the role change of a specific user at the corresponding time point.
To achieve the above object, the present invention further provides a computer device for detecting enterprise network data anomalies based on a time graph algorithm, the computer device comprising a memory, a processor and an enterprise network data anomaly detection program stored on the memory and runnable on the processor, the program being configured to implement the steps of the enterprise network data anomaly detection method.
To achieve the above object, the present invention further provides a storage medium for detecting enterprise network data anomalies based on a time graph algorithm, the storage medium storing a computer program which, when executed by a processor, implements the steps of the enterprise network data anomaly detection method.
Compared with the prior art, the invention has the beneficial effects that:
1. The time directed graph of users accessing data resources, constructed from the (time, user, event, resource) quadruple, represents the relationship between users and data resources more effectively; by abstracting the quadruple, each newly added log source becomes a subgraph of the whole time directed graph, so the existing parts of the model are unaffected, logs can be integrated in an agile way, and iteration and agile development are easier;
2. Since different users hold different roles in an enterprise and different roles access data resources in different behavioural patterns, the method extracts the (time, user, event, resource) quadruple from data resource logs, builds a time graph of the data resources accessed by each user, mines user behavioural patterns with graph analysis and machine learning algorithms, identifies resource-related abnormal behaviour by detecting the patterns in which employees access data resources, and provides a traceability tool for leakage of key enterprise data.
Drawings
FIG. 1 is a flow chart of a method for enterprise network data anomaly detection in accordance with the present invention;
FIG. 2 is a flowchart illustrating the detailed steps of step S1 of the data anomaly detection method for the enterprise network according to the present invention;
FIG. 3 is a flowchart illustrating the detailed steps of step S6 of the data anomaly detection method for the enterprise network according to the present invention;
FIG. 4 is a resource class diagram of user access data in the method for detecting data anomalies in an enterprise network according to the present invention;
FIG. 5 is a flowchart illustrating an abnormal behavior analysis performed in the method for detecting data abnormality in an enterprise network according to the present invention;
fig. 6 is a block diagram of the system for detecting data abnormality in an enterprise network according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example:
referring to fig. 1-5, the present invention provides a technical solution:
A method for detecting enterprise network data anomalies based on a time graph algorithm comprises the following steps:
s1: collecting network information of a user accessing data resources, constructing a time directed graph according to the network information, and visualizing the time directed graph.
The specific steps of step S1 are as follows:
s101: deploying a network probe on a network convergence layer, and monitoring and collecting network information of a user accessing data resources;
s102: extracting the time, user, resource and event quadruple of the network information log, and constructing a time directed graph with the user and the resource as nodes and the event as edges;
s103: the time directed graph is visualized.
In an enterprise network, the main ways for users to access data resources are application servers, file servers, the e-mail system and software service platforms. For each of these, the network information collected in step S101 is: for application servers and software service platforms, the time, user account, user IP, event, resource URL and application name; for file servers, the time, user account, user IP, event, file name and server address; for the e-mail system, only e-mails carrying attachments, with time, sender account, sender IP, recipient account, recipient IP, event and file name.
In step S102, the physical implementation of the constructed time directed graph separates static attributes from time-related attributes: the time directed graph composed of time, user account, the unique identifier of the resource (file name or application URL) and event is stored in one physical table, while the other attributes of the records are stored in a separate physical table. This design abstracts the quadruple and treats each newly added log source as a subgraph of the whole time directed graph, so existing parts of the model are not affected, logs can be integrated in an agile way, and iteration and agile development are easier.
The visualization of the time directed graph in step S103 has two main elements, a timeline and a directed graph; the administrator investigates how users access data resources by operating the timeline, for example by moving it or filtering by time period. The visualization of the time directed graph data not only shows the administrator directly how the behaviour of users accessing data resources changes, but also gives the administrator a convenient context for further investigating the abnormal behaviour detected by the algorithm.
S2: dividing the time graph of user access data with a sliding time window and constructing a series of undirected weighted graphs G_t(V, E) (t = 1, 2, …, T).
In the implementation, step S2 divides the time windows of the user access data time graph by days, which keeps a balance between computational complexity and the granularity of feature extraction.
S3: from the undirected weighted graphs G_t(V, E) of relationships between users and a recursion over K layers of neighbor nodes, obtaining the graph node feature matrix NF_{n×f} with a graph node structural feature extraction algorithm.
The node feature extraction algorithm summarises each node's own structural features and uses them recursively to generate new structural features. The node structural features in NF_{n×f} of step S3 are of three types: current-node features, egonet (self-centered network) features and recursive features. The current-node feature is the degree of the node; the egonet features are the weight of the edges inside the egonet and the weight of the edges connecting it to the outside; the recursive features are the degrees of all neighbor nodes of the current node together with the mean and the sum of their egonet features.
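Steps S1 and S2 above, as an added example that is not part of the patent: three constructed log records of the kinds the patent lists (application server, file server, e-mail with attachment) are reduced to the (time, user, resource, event) quadruple, the remaining fields are kept in a separate attribute store as step S102 describes, and the edges are cut into daily windows from which one undirected weighted user-user graph per day is built. The patent does not say how user-user edges are weighted; here two users are linked when they touch the same resource on the same day and the weight is the number of shared resources (an assumption).

```python
"""Added example (not from the patent): normalise three log sources into the
(time, user, resource, event) quadruple, store the temporal graph separately
from static attributes, and cut it into daily user-user weighted graphs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records of the three source types the patent lists.
APP_LOGS = [
    {"time": "2021-05-24T09:00:00", "account": "alice", "ip": "10.0.0.5",
     "event": "read", "url": "https://erp.example/finance/q1", "app": "erp"},
    {"time": "2021-05-24T09:10:00", "account": "bob", "ip": "10.0.0.7",
     "event": "read", "url": "https://erp.example/finance/q1", "app": "erp"},
]
FILE_LOGS = [
    {"time": "2021-05-24T11:00:00", "account": "alice", "ip": "10.0.0.5",
     "event": "download", "file": "roadmap.xlsx", "server": "10.0.1.2"},
    {"time": "2021-05-25T08:30:00", "account": "carol", "ip": "10.0.0.9",
     "event": "download", "file": "roadmap.xlsx", "server": "10.0.1.2"},
]
MAIL_LOGS = [
    {"time": "2021-05-25T10:00:00", "sender": "bob", "sender_ip": "10.0.0.7",
     "recipient": "carol", "recipient_ip": "10.0.0.9", "event": "send",
     "file": "roadmap.xlsx"},
]


def to_quadruples(app_logs, file_logs, mail_logs):
    """Return (edges, attrs): edges are (time, user, resource, event) tuples, the
    'time' table of step S102; attrs[i] holds the remaining fields of edge i,
    the separate 'static attribute' table."""
    edges, attrs = [], []
    for r in app_logs:
        edges.append((r["time"], r["account"], r["url"], r["event"]))
        attrs.append({"ip": r["ip"], "app": r["app"]})
    for r in file_logs:
        edges.append((r["time"], r["account"], r["file"], r["event"]))
        attrs.append({"ip": r["ip"], "server": r["server"]})
    for r in mail_logs:
        # Assumption: an e-mail with an attachment is the sender touching the
        # attachment; the recipient side is kept as an attribute of the edge.
        edges.append((r["time"], r["sender"], r["file"], r["event"]))
        attrs.append({"ip": r["sender_ip"], "recipient": r["recipient"],
                      "recipient_ip": r["recipient_ip"]})
    return edges, attrs


def daily_user_graphs(edges):
    """Split the edges into one-day windows (the patent's preferred window) and
    build an undirected weighted user-user graph per day. Assumption: two users
    are linked when they touched the same resource that day, and the weight is
    the number of resources they share. Returns {day: {user: {user: weight}}}."""
    by_day = defaultdict(lambda: defaultdict(set))   # day -> user -> resources
    for time, user, resource, _event in edges:
        day = datetime.fromisoformat(time).date().isoformat()
        by_day[day][user].add(resource)
    graphs = {}
    for day in sorted(by_day):
        users = sorted(by_day[day])
        g = {u: {} for u in users}
        for i, u in enumerate(users):
            for v in users[i + 1:]:
                w = len(by_day[day][u] & by_day[day][v])
                if w:
                    g[u][v] = w
                    g[v][u] = w
        graphs[day] = g
    return graphs
```

Adding a fourth log source only means appending another loop to `to_quadruples`; the window split and the graph construction do not change, which is the "each log source is a subgraph" property the patent claims for the quadruple abstraction.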
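The three feature groups of step S3, as an added example that is not the patent's own code, over a constructed four-user weighted graph: the current-node feature (degree), the two egonet features (total weight inside the egonet and total weight of edges leaving it), and the recursive features obtained by appending, K times, the mean and the sum of each neighbour's previous-level features. The patent names the feature groups but not their exact column layout, so the layout below is an assumption.

```python
"""Added example (not the patent's code): recursive structural features of each
node of an undirected weighted graph, producing the node feature matrix NF
(one row per node, f columns)."""

# Constructed weighted user-user graph for one window: {user: {neighbour: weight}}.
GRAPH = {
    "alice": {"bob": 2, "carol": 1},
    "bob":   {"alice": 2, "carol": 1, "dave": 3},
    "carol": {"alice": 1, "bob": 1},
    "dave":  {"bob": 3},
}


def local_features(graph, node):
    """Current-node feature (degree) and egonet features: total weight of edges
    inside the egonet (node plus its neighbours) and of edges leaving it."""
    ego = set(graph[node]) | {node}
    degree = len(graph[node])
    internal = external = 0
    for u in ego:
        for v, w in graph[u].items():
            if v in ego:
                internal += w      # every internal edge is seen from both ends
            else:
                external += w      # edges from the egonet to the outside
    return [degree, internal / 2, external]


def recursive_features(graph, k):
    """Start from the local features and, k times, append for every node the mean
    and the sum of its neighbours' features from the previous level (the
    recursive feature group). Returns (nodes, NF) with NF[i] the row of nodes[i];
    the row width grows from 3 to 3 * 3**k."""
    nodes = sorted(graph)
    feats = {n: local_features(graph, n) for n in nodes}
    for _ in range(k):
        new = {}
        for n in nodes:
            nbrs = list(graph[n])
            width = len(feats[n])
            sums = [sum(feats[v][j] for v in nbrs) for j in range(width)]
            means = [s / len(nbrs) if nbrs else 0.0 for s in sums]
            new[n] = feats[n] + means + sums
        feats = new
    return nodes, [feats[n] for n in nodes]
```

With K = 1 the leaf user `dave` gets the row `[1, 3.0, 3, 3.0, 7.0, 0.0, 3, 7.0, 0]`: its own degree 1, egonet weight 3 and outgoing weight 3, followed by the mean and sum of its single neighbour's local features.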
S4: computing the role of each node in the graph from the node structural features in NF_{n×f}, applying a non-negative matrix factorization algorithm to NF_{n×f} to obtain the role feature matrix RF_{r×f}.
The non-negative matrix factorization algorithm decomposes the graph node feature matrix NF_{n×f} to obtain the role feature matrix RF_{r×f}; the appropriate number of roles is determined with the minimum description length criterion, which gives a reasonable balance between computational complexity and approximation accuracy.
S5: computing the node role matrix NR_{n×r} from the graph node structural feature matrix NF_{n×f} and the role feature matrix RF_{r×f}.
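Steps S4 and S5 as an added example (not the patent's code): a pure-Python non-negative matrix factorisation NF ≈ NR · RF using multiplicative updates, a description-length score to choose the number of roles r, and a refit of NR with RF held fixed for step S5. The patent only says that the role count comes from a minimum description length criterion; the exact scoring form used here (bits for the two factors plus log2 of the residual) is an assumption, as is the constructed NF built from two role prototypes.

```python
"""Added example (not the patent's code): steps S4 and S5 with a pure-Python
non-negative matrix factorisation NF ~ NR * RF and a simple minimum-description-
length choice of the role count r (the scoring form is an assumption)."""
import math
import random

# Constructed NF: 6 nodes x 4 structural features, each row a non-negative mix
# of two role prototypes, so two roles should explain the matrix almost exactly.
ROLE_A = [4.0, 1.0, 0.0, 2.0]
ROLE_B = [0.0, 3.0, 5.0, 1.0]


def _mix(a, b):
    return [a * x + b * y for x, y in zip(ROLE_A, ROLE_B)]


NF = [_mix(1, 0), _mix(0, 1), _mix(1, 1), _mix(2, 0), _mix(0.5, 1), _mix(0, 2)]


def matmul(a, b):
    return [[sum(x * b[k][j] for k, x in enumerate(row)) for j in range(len(b[0]))]
            for row in a]


def transpose(a):
    return [list(col) for col in zip(*a)]


def _update(factor, num, den, eps=1e-12):
    """One multiplicative (Lee-Seung) step: factor <- factor * num / den, elementwise."""
    return [[f * n / (d + eps) for f, n, d in zip(frow, nrow, drow)]
            for frow, nrow, drow in zip(factor, num, den)]


def nmf(nf, r, iters=1000, seed=0):
    """Step S4: factorise NF (n x f) into NR (n x r) and RF (r x f), all entries >= 0."""
    rng = random.Random(seed)
    n, f = len(nf), len(nf[0])
    nr = [[rng.random() + 0.1 for _ in range(r)] for _ in range(n)]
    rf = [[rng.random() + 0.1 for _ in range(f)] for _ in range(r)]
    for _ in range(iters):
        rf = _update(rf, matmul(transpose(nr), nf), matmul(matmul(transpose(nr), nr), rf))
        nr = _update(nr, matmul(nf, transpose(rf)), matmul(matmul(nr, rf), transpose(rf)))
    return nr, rf


def node_roles(nf, rf, iters=300, seed=0):
    """Step S5: with RF fixed, solve for the node role matrix NR by the same update.
    This is how NR is obtained for a new window once the roles RF are known."""
    rng = random.Random(seed)
    nr = [[rng.random() + 0.1 for _ in range(len(rf))] for _ in nf]
    for _ in range(iters):
        nr = _update(nr, matmul(nf, transpose(rf)), matmul(matmul(nr, rf), transpose(rf)))
    return nr


def reconstruction_error(nf, nr, rf):
    approx = matmul(nr, rf)
    return sum((x - y) ** 2 for row, arow in zip(nf, approx) for x, y in zip(row, arow))


def mdl_score(nf, nr, rf, bits_per_value=8):
    """Description length (assumption): bits to store NR and RF plus an error term
    of log2(1 + total squared error) per matrix cell."""
    n, f, r = len(nf), len(nf[0]), len(rf)
    return bits_per_value * r * (n + f) + n * f * math.log2(1 + reconstruction_error(nf, nr, rf))


def select_role_count(nf, candidates):
    """Pick the r with the smallest description length."""
    return min(candidates, key=lambda r: mdl_score(nf, *nmf(nf, r)))
```

On the constructed NF a single role cannot reproduce the matrix, two roles reproduce it almost exactly, and a third role only adds model bits without reducing the residual, so the description-length score settles on r = 2.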
S6: and carrying out global anomaly analysis, and calculating the anomaly caused by the role change of the specific user at the corresponding time point.
The specific steps of step S6 are as follows:
s601: performing global anomaly analysis, and judging whether behaviors are abnormal at the current moment;
s602: using the role feature matrix RF_{r×f} of step S4, computing the average role change over all node-role pairs in the graph of each time window, so as to obtain a one-dimensional time series in which the last time window is the current window;
s603: determining with a time series anomaly detection algorithm (S-H-ESD) whether the roles of all users change abnormally in the current time window;
s604: when the current window is detected as abnormal, using the Isolation Forest algorithm to determine which users' roles changed abnormally; those users are the ones behaving abnormally at the current moment.
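Step S6 end to end, as an added example that is not the patent's code, over a constructed sequence of daily node role matrices NR_t for five users and two roles: s602 turns the sequence into the one-dimensional series of average role change per window; s603 is approximated by a median/MAD outlier test on the last point, a deliberate simplification standing in for S-H-ESD (no seasonal decomposition and no ESD critical values); s604 scores each user's role-change vector with a small isolation forest and reports the users above a score threshold. The per-user feature (the change in a user's role vector between the last two windows) and the thresholds are assumptions.

```python
"""Added example (not the patent's code): step S6 over constructed NR matrices.
s602 builds the average-role-change series, s603 is a median/MAD stand-in for
S-H-ESD, s604 ranks users in the flagged window with an isolation forest."""
import math
import random

USERS = ["alice", "bob", "carol", "dave", "eve"]
# Constructed baseline NR (rows = users, columns = role memberships).
BASE = [[1.0, 0.0], [0.9, 0.1], [0.1, 0.9], [0.0, 1.0], [0.8, 0.2]]


def window(**changes):
    """Copy BASE and overwrite the rows of the named users (constructed data)."""
    rows = [row[:] for row in BASE]
    for user, row in changes.items():
        rows[USERS.index(user)] = row
    return rows


# One NR per daily window: small role drift, then eve flips role in the last window.
NR_WINDOWS = [window(), window(alice=[0.9, 0.1]), window(bob=[0.85, 0.15]),
              window(dave=[0.05, 0.95]), window(carol=[0.2, 0.8]), window(),
              window(eve=[0.0, 1.0])]


def role_change_series(windows):
    """s602: mean over users of the L1 distance between a user's role vector in
    consecutive windows; one value per window after the first."""
    series = []
    for prev, cur in zip(windows, windows[1:]):
        total = sum(sum(abs(a - b) for a, b in zip(p, c)) for p, c in zip(prev, cur))
        series.append(total / len(cur))
    return series


def robust_outlier(series, threshold=3.0, eps=1e-9):
    """Stand-in for s603: flag the last point when its MAD-scaled distance from
    the median exceeds the threshold. Returns (is_anomalous, score)."""
    s = sorted(series)
    mid = len(s) // 2
    median = s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2
    dev = sorted(abs(x - median) for x in series)
    mad = dev[mid] if len(dev) % 2 else (dev[mid - 1] + dev[mid]) / 2
    gap = abs(series[-1] - median)
    if mad < eps:                       # degenerate (near-constant) history
        score = 0.0 if gap < eps else float("inf")
    else:
        score = gap / (1.4826 * mad)    # 1.4826 scales MAD to a normal sigma
    return score > threshold, score


def _c(n):
    """Average path length of an unsuccessful BST search; normalises path lengths."""
    if n <= 1:
        return 0.0
    return 2 * (math.log(n - 1) + 0.5772156649) - 2 * (n - 1) / n


def _grow(points, depth, limit, rng):
    if depth >= limit or len(points) <= 1:
        return ("leaf", len(points))
    d = rng.randrange(len(points[0]))
    lo, hi = min(p[d] for p in points), max(p[d] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    split = rng.uniform(lo, hi)
    left = [p for p in points if p[d] < split]
    right = [p for p in points if p[d] >= split]
    return ("node", d, split, _grow(left, depth + 1, limit, rng),
            _grow(right, depth + 1, limit, rng))


def _path(tree, p, depth=0):
    if tree[0] == "leaf":
        return depth + _c(tree[1])
    _, d, split, left, right = tree
    return _path(left if p[d] < split else right, p, depth + 1)


def isolation_scores(points, trees=50, seed=1):
    """Isolation-forest anomaly score in (0, 1): higher means easier to isolate."""
    rng = random.Random(seed)
    n = len(points)
    limit = math.ceil(math.log2(max(n, 2)))
    forest = [_grow(points, 0, limit, rng) for _ in range(trees)]
    return [2 ** (-(sum(_path(t, p) for t in forest) / trees) / _c(n)) for p in points]


def detect_anomalous_users(windows, users, score_threshold=0.6):
    """s601-s604 combined: users flagged in the current window, or [] when the
    global role-change series shows no anomaly."""
    series = role_change_series(windows)
    anomalous, _ = robust_outlier(series)
    if not anomalous:
        return []
    prev, cur = windows[-2], windows[-1]
    # Assumption: per-user feature = change of the user's role vector between the last two windows.
    deltas = [[c - p for p, c in zip(pr, cu)] for pr, cu in zip(prev, cur)]
    scores = isolation_scores(deltas)
    return [u for u, s in zip(users, scores) if s > score_threshold]
```

Run on the six drift windows alone the global series is quiet and nothing is reported; with the seventh window added the series jumps from about 0.04 to 0.32, the global test fires, and only `eve`, whose role vector moved while the other four did not, isolates at depth one in every tree and is returned.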
The invention is mainly applied to detecting account compromise and data resource leakage threats. Whether the actor is an attacker posing as a legitimate employee or a malicious insider, a thief holding a legitimate account looks very much like a legitimate employee; the biggest difference is how resources are used. Once inside the network with a legitimate account, the thief can scan and access important data assets without restraint, and traditional detection methods, which lack real-time tracking and analysis of user behaviour in the network, cannot discover the attacker's abnormal behaviour in time.
Therefore, in operation of the invention, normal employees use enterprise data resources according to their roles and have different behavioural habits, such as the types of resources accessed, the hosts used and the accounts logged in, while employees with the same role behave similarly. Legitimate employees perform the resource access and related operations their work requires; the quadruples described above are extracted from the employee network behaviour logs, a time directed graph of users and resources is constructed, and a time graph of user-resource access relationships that tends to be stable is formed. During detection, step S6 can then identify the abnormal behaviour of an illegitimate employee using a stolen account, including searching for data resources, lateral movement and leakage of enterprise data, for example accessing data resources that were never accessed before, accessing data resources from another device for the first time, or accessing a number of resources far beyond the normal range. The abnormal behaviour of the employee is thereby detected and the data are protected from risk.
Referring to fig. 6, to achieve the above object the present invention further provides an enterprise network data anomaly detection system based on a time graph algorithm, comprising:
a resource collection and processing module for collecting network information on users accessing data resources, constructing a time directed graph from the network information and visualizing the time directed graph;
a time graph dividing module for dividing the time graph of user access data with a sliding time window and constructing a series of undirected weighted graphs G_t(V, E) (t = 1, 2, …, T);
a graph node feature extraction module for obtaining the graph node feature matrix NF_{n×f} from the undirected weighted graphs G_t(V, E) of relationships between users and a recursion over K layers of neighbor nodes, by means of a graph node structural feature extraction algorithm;
a graph node role extraction module for computing the role of each node in the graph from the node structural features in NF_{n×f}, applying a non-negative matrix factorization algorithm to NF_{n×f} to obtain the role feature matrix RF_{r×f};
a graph node role matrix extraction module for computing the node role matrix NR_{n×r} from the graph node structural feature matrix NF_{n×f} and the role feature matrix RF_{r×f}; and
a real-time anomaly analysis module for graph node role change, which performs global anomaly analysis and computes the anomaly caused by the role change of a specific user at the corresponding time point.
To achieve the above object, the present invention further provides a computer device for detecting enterprise network data anomalies based on a time graph algorithm, the computer device comprising a memory, a processor and an enterprise network data anomaly detection program stored on the memory and runnable on the processor, the program being configured to implement the steps of the enterprise network data anomaly detection method.
To achieve the above object, the present invention further provides a storage medium for detecting enterprise network data anomalies based on a time graph algorithm, the storage medium storing a computer program which, when executed by a processor, implements the steps of the enterprise network data anomaly detection method.
Although embodiments of the present invention have been shown and described, it will be appreciated by those skilled in the art that changes, modifications, substitutions and alterations can be made in these embodiments without departing from the principles and spirit of the invention, the scope of which is defined in the appended claims and their equivalents.

Claims (9)

1. A method for detecting enterprise network data anomalies based on a time graph algorithm, characterized by comprising the following steps:
S1, collecting network information on users accessing data resources, constructing a time directed graph from the network information, and visualizing the time directed graph;
S2, dividing the time graph of user access data with a sliding time window and constructing a series of undirected weighted graphs G_t(V, E) (t = 1, 2, …, T);
S3, from the undirected weighted graphs G_t(V, E) of relationships between users and a recursion over K layers of neighbor nodes, obtaining the graph node feature matrix NF_{n×f} with a graph node structural feature extraction algorithm;
S4, computing the role of each node in the graph from the node structural features in NF_{n×f}, applying a non-negative matrix factorization algorithm to NF_{n×f} to obtain the role feature matrix RF_{r×f};
S5, computing the node role matrix NR_{n×r} from the graph node structural feature matrix NF_{n×f} and the role feature matrix RF_{r×f};
and S6, performing global anomaly analysis and computing the anomaly caused by the role change of a specific user at the corresponding time point.
2. The method for detecting enterprise network data anomalies based on a time graph algorithm according to claim 1, characterized in that the specific steps of step S1 are:
S101, deploying a network probe on the network convergence layer, and monitoring and collecting network information on users accessing data resources;
S102, extracting the (time, user, resource, event) quadruple from the network information log, and constructing a time directed graph with users and resources as nodes and events as edges;
and S103, visualizing the time directed graph.
3. The method for detecting enterprise network data anomalies based on a time graph algorithm according to claim 2, characterized in that in step S101 the collected network information is, for application servers and software service platforms, the time, user account, user IP, event, resource URL and application name; for file servers, the time, user account, user IP, event, file name and server address; and for the e-mail system, only e-mails carrying attachments, with time, sender account, sender IP, recipient account, recipient IP, event and file name.
4. The method for detecting enterprise network data anomalies based on a time graph algorithm according to claim 1, characterized in that step S2 divides the time windows of the user access data time graph by days.
5. The method for detecting enterprise network data anomalies based on a time graph algorithm according to claim 1, characterized in that the node structural features in the graph node feature matrix NF_{n×f} of step S3 are of three types: current-node features, egonet (self-centered network) features and recursive features.
6. The enterprise network data anomaly detection method based on the time graph algorithm according to claim 1, characterized in that the specific steps of step S6 are:
S601, carrying out global anomaly analysis to judge whether behaviour is anomalous at the current moment;
S602, using the character feature matrix RF_{r*f} of step S4, calculating for the graph of each time window the average role change over all node role pairs, to obtain a one-dimensional time series in which the last time window is the current window;
S603, judging with a time series anomaly detection algorithm (Seasonal Hybrid ESD, S-H-ESD) whether the roles of all users change anomalously in the current time window; and
S604, when the current window is detected as anomalous, calculating with the Isolation Forest algorithm which users have anomalous role changes, thereby detecting which users behave anomalously at the current moment.
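As an added example (not the patent's own code), the block below carries steps S602 and S603 of claim 6 through in Python. It assumes the node role matrices NR_t of step S5 are already available, here as dicts keyed by user with one role-membership vector per user (constructed values); the average role change per window is the mean over nodes of the L1 distance between consecutive role vectors, which is this example's reading of "average role change". The detector is the generalized ESD test with median and MAD in place of mean and standard deviation, which is the "hybrid" part of S-H-ESD; the seasonal decomposition is left out because a one-point-per-day series of two weeks has no season to model, and the Student-t quantile is computed with the Cornish-Fisher series (Abramowitz and Stegun 26.7.5) so that only the standard library is needed. Neither the non-negative matrix factorization of step S4 nor the Isolation Forest of step S604 is implemented here.

```python
import math
from statistics import median, NormalDist

# Constructed node role matrices NR_t for three daily windows: one role
# membership vector per user.  Users and values are made up for this example.
ROLE_MATRICES = [
    {"alice": [0.8, 0.2], "bob": [0.3, 0.7]},
    {"alice": [0.7, 0.3], "bob": [0.3, 0.7]},
    {"alice": [0.7, 0.3], "bob": [0.9, 0.1]},   # bob switches role
]

# Constructed output of step S602 over 14 daily windows: a quiet baseline and
# a large average role change in the last (current) window.
ROLE_CHANGE_SERIES = [0.05, 0.06, 0.04, 0.05, 0.07, 0.05, 0.04,
                      0.06, 0.05, 0.05, 0.06, 0.04, 0.05, 0.60]


def role_change_series(role_matrices):
    """Step S602: for each pair of consecutive windows, the mean over users of
    the L1 distance between the user's role vectors in NR_{t-1} and NR_t."""
    series = []
    for prev, cur in zip(role_matrices, role_matrices[1:]):
        changes = [sum(abs(a - b) for a, b in zip(prev[u], cur[u])) for u in prev]
        series.append(sum(changes) / len(changes))
    return series


def t_quantile(p, df):
    """Student-t quantile from the normal quantile z via the Cornish-Fisher
    expansion (A&S 26.7.5); accurate enough for the df >= 5 that windows of a
    week or more give."""
    z = NormalDist().inv_cdf(p)
    g1 = (z**3 + z) / 4
    g2 = (5 * z**5 + 16 * z**3 + 3 * z) / 96
    g3 = (3 * z**7 + 19 * z**5 + 17 * z**3 - 15 * z) / 384
    g4 = (79 * z**9 + 776 * z**7 + 1482 * z**5 - 1920 * z**3 - 945 * z) / 92160
    return z + g1 / df + g2 / df**2 + g3 / df**3 + g4 / df**4


def hybrid_esd(series, alpha=0.05, max_anoms=None):
    """Step S603: generalized ESD test using median and MAD (the 'hybrid' in
    S-H-ESD).  At most max_anoms points are tested (default 10% of the series,
    as in the usual S-H-ESD setting).  Returns the indices flagged anomalous."""
    n = len(series)
    if max_anoms is None:
        max_anoms = max(1, int(0.10 * n))
    remaining = list(range(n))
    removed, num_anoms = [], 0
    for i in range(1, max_anoms + 1):
        df = n - i - 1
        if df < 1:
            break
        vals = [series[j] for j in remaining]
        med = median(vals)
        mad = 1.4826 * median(abs(v - med) for v in vals)   # robust sigma
        if mad == 0:
            break
        j_max = max(remaining, key=lambda j: abs(series[j] - med))
        r = abs(series[j_max] - med) / mad                  # test statistic R_i
        removed.append(j_max)
        remaining.remove(j_max)
        p = 1 - alpha / (2 * (n - i + 1))
        t = t_quantile(p, df)
        lam = (n - i) * t / math.sqrt((df + t * t) * (n - i + 1))  # critical value
        if r > lam:
            num_anoms = i       # ESD keeps the largest i with R_i > lambda_i
    return sorted(removed[:num_anoms])


if __name__ == "__main__":
    print("role change per window:", role_change_series(ROLE_MATRICES))
    flagged = hybrid_esd(ROLE_CHANGE_SERIES)
    print("anomalous windows:", flagged)
    if len(ROLE_CHANGE_SERIES) - 1 in flagged:
        print("current window is anomalous: proceed to per-user analysis (S604)")
```

Only when the current window (the last index of the series) is among the flagged points does the method move on to step S604; an anomaly in an earlier window is historical and does not by itself trigger the per-user analysis.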
7. An enterprise network data anomaly detection system based on a time graph algorithm, characterized by comprising:
a resource collection processing module, used for collecting the network information of users accessing data resources, constructing a time directed graph according to the network information, and visualizing the time directed graph;
a time graph dividing module, used for dividing the user access data time graph with a sliding time window to construct a series of undirected weighted graphs G_t(V,E), t = 1, 2, ..., T;
a graph node feature extraction module, used for obtaining the graph node feature matrix NF_{n*f} from the undirected weighted graph G_t(V,E) of relationships between users, through a graph node structural feature extraction algorithm that recurses over K layers of neighbour nodes;
a graph node role extraction module, used for calculating the role of each node in the graph according to the node structural features in the graph node feature matrix NF_{n*f}, and decomposing NF_{n*f} with a non-negative matrix factorization algorithm to obtain the character feature matrix RF_{r*f};
a graph node role matrix extraction module, used for calculating the node role matrix NR_{n*r} according to the graph node structural feature matrix NF_{n*f} and the character feature matrix RF_{r*f}; and
a graph node role change real-time anomaly analysis module, used for carrying out global anomaly analysis and calculating the anomaly caused by the role change of a specific user at the corresponding time point.
8. An enterprise network data anomaly detection computer device based on a time graph algorithm is characterized in that: the computer device includes: a memory, a processor, and an enterprise network data anomaly detection program stored on the memory and executable on the processor, the enterprise network data anomaly detection program configured to implement the steps of the enterprise network data anomaly detection method of any one of claims 1-6.
9. An enterprise network data anomaly detection storage medium based on a time graph algorithm is characterized in that: the storage medium has stored thereon a computer program enabling, when executed by a processor, the steps of the enterprise network data anomaly detection method according to any one of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110586188.2A CN113312519A (en) 2021-05-27 2021-05-27 Enterprise network data anomaly detection method based on time graph algorithm, system computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113312519A true CN113312519A (en) 2021-08-27

Family

ID=77375683

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110586188.2A Withdrawn CN113312519A (en) 2021-05-27 2021-05-27 Enterprise network data anomaly detection method based on time graph algorithm, system computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113312519A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114710344A (en) * 2022-03-30 2022-07-05 Huazhong University of Science and Technology Intrusion detection method based on tracing graph
CN114710344B (en) * 2022-03-30 2022-12-02 Huazhong University of Science and Technology Intrusion detection method based on traceability graph

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication

Application publication date: 20210827